Package: openssl Version: 1.1.0f-3 Severity: normal Dear Maintainer,
After upgrading to stretch, one of our client complained that he couldn’t access to one of our website with Internet Explorer 8 on Windows XP. After investigation, it looks like that the cipher recommended by Mozilla (using https://mozilla.github.io/server-side-tls/ssl-config-generator/) for IE8 compatibility, DES-CBC3-SHA, despite being enabled in /etc/nginx/nginx.conf, is not present in the ciphers recognized by our server (TLS_RSA_WITH_3DES_EDE_CBC_SHA not present in nmap localhost -p 443 --script=ssl-enum-ciphers) It ss also absent from openssl ciphers -V ALL:COMPLEMENTOFALL. A quick glance on this list show that there is no cipher compatible with IE8 (https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=8&platform=XP&key=101) The cipher is still present in the ciphers(1ssl) manpage. -- System Information: Debian Release: 9.1 APT prefers stable APT policy: (990, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages openssl depends on: ii libc6 2.24-11+deb9u1 ii libssl1.1 1.1.0f-3 openssl recommends no packages. Versions of packages openssl suggests: ii ca-certificates 20161130+nmu1 -- no debconf information
